As companies grow and evolve, the processes within them rarely grow and evolve to keep pace. Workarounds become abundant, managers make compromises and practices that might look shady in the public eye grow far too common. Although you might have addressed GDPR's rules, that doesn't mean you are safe from compliance penalties.
Most companies already have security issues, even if their leaders think they're safe. For example, URL structures sometimes capture and display customer information in the address bar. On websites with internal search options, users often include personal information such as ZIP codes in their searches. Those queries travel from search bar to analytics tool to content management system.
When personal information makes that journey, it usually slips past traditional privacy screenings. Even chatbots and messaging systems can create data collection issues when customers send personally identifying information, such as Social Security numbers, through chat interfaces.
These are common data security leaks, but by no means do they form a comprehensive list. To bolster your security, use the season of GDPR compliance as a launching point toward compliance in all areas of data security, beginning with a gap analysis.
Taking the right measure
A gap analysis is a comprehensive catalog and review of all your data collection touchpoints. This includes, but is certainly not limited to, data processes, privacy policies, data capture, retention and deletion policies.
The first step is to catalog all your data processes. To understand where compliance gaps exist, figure out what types of data you collect, then follow that data to see how it's stored, used, shared, and deleted. Your catalog will provide a foundation for your new data strategy.
Look for common data collection points, such as marketing automation platforms, order forms, customer communications, rewards programs and website submissions. For smaller operations, an electronic spreadsheet should be enough to keep track. Larger operations should invest in more robust tools and tech.
Identifying which types of information to catalog can quickly become a time-consuming task—different departments use data in different ways, after all. To cover all your bases, think about data collection via three avenues: data you collect directly, data you gain via tracking and data you add to your databases from non-customer sources. All this data empowers companies to provide better services, improve the customer experience, and optimize marketing strategies, but in the age of GDPR, a lax approach to that data's storage could carry consequences.
Even if you perform a thorough initial analysis, odds are good that you will miss something on the first pass. So rather than try to catch everything in one go, start small. Build momentum by cataloging and managing small sets of data or data within one department, then branch out, using the lessons you learned to improve the process moving forward.
If you aren't sure where to start, think about places where you found data anomalies in the past. Review GDPR and other data compliance rules to which your company is subject, then dive into the parts of your company's data with high exposure to risk, potentially incomplete data processes, and insufficient security. Remember to include employee education as part of your security improvements—not even the most robust data strategy is safe from human error.
Proper data security goes far beyond just GDPR compliance. Use this season of change to take a hard look at your data processes. Not only will you comply, but you will protect your company from future breaches, fines, and bad press.